Description

DEVICE-TO-DEVICE AUTHENTICATION SYSTEM, DEVICE-TO-DEVICE AUTHENTICATION METHOD, COMMUNICATION APPARATUS, AND COMPUTER PROGRAM



Technical Field 

The present invention relates to a device-to-device authentication system, a device-to-device authentication method, a communication apparatus and a computer program for managing the use, between devices, of contents such as music data, image data, digital data such as electronic publications, motion pictures or the like, which are distributed over a network or the like, and in particular to a device-to-device authentication system, a device-to-device authentication method, a communication apparatus and a computer program for managing the use of the contents within the scope of private use allowed by the copyright law.

More specifically, the present invention relates to a device-to-device authentication system, a device-to-device authentication method, a communication apparatus and a computer program for managing the use of the contents within the scope of private use allowed by the copyright law on a home network connected to an external network via a router, and in particular to a device-to-device authentication method, a communication apparatus and a computer program for managing the use of the contents so that each client terminal on the home network uses the contents legitimately acquired on a home server within the scope of private use allowed by the copyright law.


Background Art 
Owing to the recent spread of the Internet, various digital contents, including computer files, are actively distributed over networks. Moreover, with the spread of broadband communication networks (xDSL (x Digital Subscriber Line), CATV (Cable TV), wireless networks or the like), a mechanism capable of delivering digital data such as music data, image data or electronic publications, and even rich contents such as motion pictures, without imposing any stress on the user is now being put in place.

On the other hand, the distributed contents are digital data, and therefore an unauthorized operation such as copying or falsification is relatively easy to perform. Moreover, frauds such as the copying or falsification of contents are currently committed frequently, which is a main cause of damage to the interests of digital-content vendors. As a result, a vicious cycle arises in which the price of the contents must be raised, which in turn hinders their spread.

For example, computer and network technology has recently been spreading steadily into general households. Information devices such as a personal computer for home use or a PDA (Personal Digital Assistant) and, in addition, various information home appliances such as a television set and a video playback device are interconnected via a home network. In many cases, such a home network is connected to an external broadband network, including the Internet, via a router. After contents legitimately acquired from a server on the Internet are stored in a server on the home network (hereinafter referred to as a "home server"), the contents are distributed via the home network to other in-home terminals (clients).
Under the copyright law, contents as copyright works are protected against unauthorized use such as unauthorized copying or falsification. On the other hand, an authorized user is allowed to copy the contents for private use, that is, for personal use, family use or other similar uses within a limited circle (see Copyright Law of Japan, Article 30).

If the scope of private use is applied to the above-described home network, a client terminal connected to the home network is supposed to be within the scope of personal or family use. Therefore, it is considered appropriate for the client terminal on the home network to make free use of the contents legitimately acquired on the home server (it is apparent that the number of terminals which can enjoy the contents must be limited to a certain number).

With current techniques, however, it is difficult to determine whether or not a client terminal logging into the home network is within the scope of private use.

For example, since the home network is connected to an external network via a router based on the IP protocol, the home server does not know where a client making access actually is. If the home server provides the contents in response to external (remote) access, the use of the contents is substantially unrestrained. Therefore, the copyright in the contents is almost unprotected. As a result, a content creator may lose the motivation to create.

Furthermore, if the home server allows the client terminal in the home network to use the contents in the same manner, the same client terminal may log into a plurality of home networks at time intervals. As a result, it can use the contents almost without restriction.
On the other hand, if strict restrictions are imposed on the client terminal, a user cannot enjoy the private use fundamentally allowed by the copyright law. As a result, the user cannot satisfactorily enjoy the contents. Accordingly, since the use of a home server or a content-distribution service is not well promoted, the development of the content business itself may be impeded.

For example, in consideration of the fact that a user who legitimately purchases a copyright work is allowed to use it freely, a method for more easily obtaining consent from the owner of the rights to the contents for the copying and use of information on a network by the user has been proposed (see, for example, Japanese Patent Application Publication No. 2002-73861). However, this method classifies users depending on their level of relation with the owner of the rights to the use of the information and distributes the information by a different distribution method for each level of relation. It does not identify the extent of the scope of private use on the network.

Meanwhile, as a protocol constituting a home network, UPnP (registered trademark), for example, is known. UPnP allows easy network construction without any complicated operations and allows a content-providing service between network-connected devices without any difficult operations or settings. Moreover, UPnP is advantageous in that it is not dependent on an operating system (OS) and the addition of a device is easy.

In UPnP, network-connected devices exchange a definition file described in the XML (Extensible Markup Language) format for mutual authentication. The outline of UPnP processing is as follows.
(1) Addressing process: the device acquires its own device ID such as an IP address.

(2) Discovery process: each device on the network is searched so as to acquire information such as the device type or function contained in the response received from each device.

(3) Service request process: a request for a service is made to each device based on the information acquired by the discovery process.

By such a processing procedure, a service can be provided and received using network-connected devices. A device to be connected to the network acquires a device ID by the addressing process and acquires information on the other devices on the network by the discovery process, thereby enabling a service request.

The contents stored in the home server can be accessed from other devices on the home network. For example, the contents can be acquired by a device implementing a UPnP connection. If the contents are video data or audio data, a TV or a player is connected as a network-connected device so that a movie or music can be enjoyed.

However, a device within the home network, for example the home server, stores contents requiring copyright management such as private contents or pay contents. Therefore, countermeasures against unauthorized access must be considered.

It is natural that access from a device of a user having the right to use (a license for) the contents is allowed. However, in a home network environment connected to the external network via a home router, even a user without a license can get into the home network.

In order to exclude unauthorized access, for example, the home server is made to hold a list of clients whose access is allowed, so that collation with the list is executed each time access to the home server is requested by a client. In this way, unauthorized access can be excluded.

For example, MAC address filtering is known, which uses a MAC (Media Access Control) address, corresponding to a physical address unique to each communication apparatus, to build an access-allowable device list. More specifically, the MAC address of each device whose access is allowed is registered on a router or gateway that isolates the internal network, such as the home network, from the external network. The source MAC address of a received packet and the registered MAC addresses are collated with each other, and access from a device with an unregistered MAC address is refused (see, for example, Japanese Patent Application Publication No. 10-271154).

In order to construct the access-allowable device list, however, it is necessary to check the MAC addresses of all the devices connected to the internal network. Moreover, effort is required to input all the acquired MAC addresses so as to create the list. Furthermore, in a home network, the connected devices change relatively frequently. Therefore, the access-allowable device list has to be modified for each such change.

Disclosure of the Invention 

An object of the present invention is to provide a preferable device-to-device authentication system, device-to-device authentication method, communication apparatus and computer program which are capable of suitably managing the use of the contents between devices on a home network connected to an external network via a router.

Another object of the present invention is to provide a preferable device-to-device authentication system, device-to-device authentication method, communication apparatus and computer program which are capable of suitably managing so that each client terminal on a home network uses the contents legitimately acquired on a home server within the scope of private use allowed by the copyright law.

The present invention has been devised in view of the above problems. A first aspect thereof is a device-to-device authentication system for authenticating a device on a home network connectable to an external network via a router, characterized by including local environment management means for confirming whether or not another device making access to the device on the home network is present on the home network.

Here, a "system" means a logical assembly of a plurality of apparatuses (or functional modules for realizing a specific function), and each apparatus or functional module may or may not be present in a single housing.

Here, one of the devices is a home server for legitimately acquiring the contents from the external network via the router or through package media or broadcast reception, whereas the other device is a client making a request for the contents to the home server for use. After confirmation of the presence of both devices on the same home network, the home server provides the contents and/or issues a license for the contents to the client.

Under the copyright law, contents as copyright works are protected against unauthorized use such as unauthorized copying or falsification. On the other hand, an authorized user is allowed to copy the contents for private use, that is, for personal use, family use or other similar uses in a limited circle.

Accordingly, in the present invention, on the assumption that a client terminal in the home network falls within the scope of private use, only a client under a local environment can use the contents stored on a home server.

Two or more home servers can be installed on the home network. In such a case, since client terminals on the same home network are under a local environment, each home server independently registers them as members to form a group, so as to distribute the contents and to issue licenses for the use of the contents. Furthermore, a client terminal can be registered as a member simultaneously on two or more home servers on the same home network, thereby belonging to a plurality of groups, and can acquire a license for the contents from each of the home servers.

Also in this case, since the client terminal is under a local environment for each of the home servers and is therefore supposed to fall within the scope of personal or family use, it is appropriate for it to make free use of the contents of each of the home servers in the local environment.

On the other hand, even if the client terminal can be registered on a plurality of home servers as a member at the same time, it should not be allowed to belong to groups of home servers over a plurality of home networks at time intervals. This is because connection to another home network corresponds to the move of the client terminal to a remote environment with respect to the first connected home network, or, equivalently, connection to one home network corresponds to the presence of the client terminal in a remote environment with respect to the other home networks.

Therefore, a client can use the contents acquired from a plurality of home servers on the same home network. However, upon connection to a home server on another home network, the client cannot use the contents acquired from home servers on home networks other than that other home network.

The local environment management means can confirm the presence or absence, on the same home network, of a device making an access request by, for example, whether or not the MAC address of the device making the access request coincides with the MAC address of the router set as the default gateway.

The home network is connected to the external network via the home router. If access is made from the same network, the packet carries the source MAC address of the accessing device. In the case of external access via the router, however, the source is rewritten to the MAC address of the router. Using such an existing mechanism of the IP protocol, the MAC address of the device on the other side of the communication is compared with the MAC address of the home router so as to automatically identify whether the access is from the home network.

Alternatively, the local environment management means can confirm the presence or absence on the same home network based on whether or not the respective devices share the same identification information regarding the home network.

For example, each of the devices acquires the MAC address of the router set as the default gateway as identification information regarding the home network. The presence or absence on the home network is confirmed based on whether or not the devices have the MAC address of the same default gateway.

Alternatively, a local environment management apparatus for supplying network identification information is installed on the home network so that each device acquires the MAC address of the local environment management apparatus as identification information regarding the home network. The presence or absence on the same network can be confirmed based on whether or not the devices have the MAC address of the same local environment management apparatus.

A second aspect of the present invention is a computer program described in a computer-readable format so as to execute a process for authenticating a device on a home network connected to an external network via a router, on which a home server for legitimately acquiring the contents from the external network and a client making a request for the contents for use are present, the computer program characterized by including: a local environment management step of confirming whether or not the home server and the client are present on the home network; and a content-provision step of providing the contents and/or issuing a license for the contents to the client by the home server in response to the confirmation, by the local environment management step, of the presence of both devices on the same home network.

The computer program according to the second aspect of the present invention is a computer program described in a computer-readable format so as to realize a predetermined process on a computer system. In other words, when the computer program according to the second aspect of the present invention is installed on a computer system, a cooperative function is exhibited on the computer system. As a result, the same effects as those of the device-to-device authentication system according to the first aspect of the present invention can be obtained.

The other objects, features and advantages of the present invention will be apparent from the detailed description based on the following embodiments of the present invention and the accompanying drawings.

Brief Description of Drawings

Fig. 1 is a diagram schematically showing a basic structure of a home network;

Fig. 2 is a diagram showing an exemplary structure of a home network on which two home servers are present;

Fig. 3 is a diagram showing a state where a client terminal is connected to a plurality of home networks;

Fig. 4 is a diagram schematically showing a structure of a home network according to one embodiment of the present invention;

Fig. 5 is a diagram schematically showing a structure of a home network according to another embodiment of the present invention;

Fig. 6 is a diagram schematically showing a hardware structure of a host apparatus connected to the home network as a server, a client or the like;

Fig. 7 is a diagram showing an operation sequence on a home network according to the present invention;

Fig. 8 is a diagram showing a structure of a local environment management table;

Fig. 9 is a flowchart showing a processing procedure for use of the contents on a client terminal;

Fig. 10 is a diagram showing a variation of the home network illustrated in Fig. 4;

Fig. 11 is a diagram showing an operation sequence on a home network according to the present invention; and

Fig. 12 is a diagram showing a variation of Fig. 10.

Best Mode for Carrying Out the Invention

Hereinafter, embodiments of the present invention will 
be described in detail with reference to the drawings. 

Under the copyright law, contents as copyright works are protected against unauthorized use such as unauthorized copying or falsification. On the other hand, an authorized user is allowed to copy the contents for private use, that is, for personal use, family use or other similar uses in a limited circle (see Copyright Law of Japan, Article 30).

On the assumption that a client terminal in a home network (hereinafter also referred to as a "local environment") falls within the scope of private use, the inventors of the present invention propose a system in which only a client under the local environment can use the contents stored on a home server.

Herein, the definition of the local environment will 
be described. 

Fig. 1 schematically shows a basic structure of a home network. As shown in the drawing, a home network installed in a home is connected to an external network such as the Internet via a home router.

On the home network, a home server and at least one client terminal are present. The home server legitimately acquires contents from a content server on the external network via the home router and stores them, in order to distribute the contents within the home. It is apparent that the home server can also acquire contents by means other than the network, such as package media or broadcast reception. Each client terminal makes a request for desired contents to the home server so as to acquire them for use.

The client terminals connected to the home network are present under the local environment, and it is supposed that they are within the scope of personal or family use. Therefore, it is considered appropriate for the client terminals on the home network to make free use of the contents legitimately acquired on the home server. Accordingly, the home server registers the client terminals under the local environment as members and issues licenses for the distribution and use of the contents.

It is apparent that the number of terminals capable of enjoying the contents must be limited to a certain number, because unlimited connection of clients is not allowable.

Under the local environment, the client terminal acquires the contents from the home server, uses the contents, for example by copying or streaming, and can also take the contents out of the local environment (into a remote environment) for use.

On the other hand, a client terminal that is not present on the home network, that is, one in a remote environment, is not considered to be within the scope of personal or family use. If a client terminal in the remote environment were allowed to use the contents, the use of the contents would be substantially unrestrained, and as a result the copyright in the contents would be almost unprotected. Therefore, the home server neither registers a client in the remote environment as a member nor issues it a license for the contents.

In the example shown in Fig. 1, only one home server is present on the home network. However, it is apparent that two or more home servers may be installed on the same home network so that each of the home servers independently provides a content distribution service in the home network.

Fig. 2 shows an exemplary structure of the home network 
on which two home servers are present. 

In this case, since the client terminals on the same home network are under a local environment, each of the home servers independently registers them as members to form a group, so as to distribute the contents and to issue licenses for the use of the contents. A client terminal acquires the contents from a home server, uses the contents, for example by copying or streaming, and can also take the contents out of the local environment (into a remote environment) for use.

Furthermore, a client terminal can be registered simultaneously on two or more home servers on the same home network as a member, thereby belonging to a plurality of groups, and can acquire a license for the contents from each of the home servers. In this case, the client terminal is also present under the local environment for each of the home servers, and therefore it is supposed to be within the scope of personal or family use. Therefore, it is considered appropriate for the client to make free use of the contents of each of the home servers in the local environment.

On the other hand, even if the client terminal can be registered on a plurality of home servers as a member at the same time, it should not be allowed to belong to groups of home servers over a plurality of home networks at time intervals (see Fig. 3).
This is because connection to another home network corresponds to the move of the client terminal to a remote environment with respect to the first connected home network, or, equivalently, connection to one home network corresponds to the presence of the client terminal in a remote environment with respect to the other home networks. The local environment is within the personal or family scope, whereas the remote environment departs from the personal or family scope.

It is technically possible for a client terminal to be connected to a plurality of home networks at time intervals. However, if the use of the contents were allowed successively with each connection, the use of the contents would be substantially unrestrained. As a result, the copyright in the contents would be almost unprotected.

Summarizing the above, in order to realize a local environment that is supposed to be within the scope of personal or family use on the home network, the following are derived as necessary conditions.

(1) The home server does not allow member registration from outside the home network; and

(2) When two or more home servers are present in the same home network, member registration and group management are performed for each of the home servers. Each of the clients on the home network can be registered on two or more home servers. However, the home servers simultaneously accepting the registration must be present in the same home network.

In order to realize such a local environment, a mechanism for identifying whether or not the home server and the client terminal are present on the same home network is required between them.

Current network protocols do not provide any mechanism for identifying a network, such as a home network, by segment. Therefore, in view of the connection of the home network to the external network via the home router, the inventors of the present invention propose a method of automatically identifying whether access is made from the home network by comparing the MAC address of the device on the other side of the communication with the MAC address of the home router, using the existing mechanism of the IP protocol whereby access from the same network carries the source MAC address of the accessing device whereas, in the case of external access via a router, the source is rewritten to the MAC address of the router.
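As an added example (not code from the patent), the following Python models the locality check proposed above together with the necessary conditions (1) and (2) derived earlier and the earlier statement that a client cannot use contents licensed on another home network: a home server accepts a member registration only when the source MAC of the request frame differs from the default gateway's MAC, binds each license to the gateway MAC as the network identification information, and a client can use a license only while connected to that same home network. All addresses, frames and class names are constructed for illustration.

```python
# Added example, not from the patent: a minimal model of the local-environment
# check. All MAC addresses, frames and names below are constructed.
from dataclasses import dataclass, field
from typing import Optional

ETH_HDR_LEN = 14  # destination MAC (6) + source MAC (6) + EtherType (2)

def mac_to_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(p, 16) for p in mac.split(":"))

def build_frame(dst_mac: str, src_mac: str, payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet II frame (IPv4 EtherType) for the example."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + b"\x08\x00" + payload

def parse_src_mac(frame: bytes) -> str:
    """Return the source MAC of an Ethernet frame as 'aa:bb:cc:dd:ee:ff'."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    return ":".join(f"{b:02x}" for b in frame[6:12])

def is_local_access(src_mac: str, router_mac: str) -> bool:
    """True when the frame came directly from a host on the home network. A source
    MAC equal to the default gateway's MAC means the router forwarded the packet."""
    return src_mac.lower() != router_mac.lower()

@dataclass
class License:
    content_id: str
    server_id: str
    network_id: str  # identification information of the home network (gateway MAC)

@dataclass
class HomeServer:
    server_id: str
    router_mac: str  # MAC of the default gateway, learned when joining the network
    members: set = field(default_factory=set)

    def register_member(self, frame: bytes) -> bool:
        """Condition (1): member registration is accepted only from the home network."""
        src = parse_src_mac(frame)
        if not is_local_access(src, self.router_mac):
            return False
        self.members.add(src)
        return True

    def issue_license(self, client_mac: str, content_id: str) -> Optional[License]:
        """Licenses go only to registered members and are bound to this network."""
        if client_mac.lower() not in self.members:
            return None
        return License(content_id, self.server_id, self.router_mac)

@dataclass
class Client:
    mac: str
    current_gateway_mac: str  # acquired from the network the client is on now

    def can_use(self, lic: License) -> bool:
        """Usable if licensed on the home network the client is currently on,
        whichever of that network's home servers issued it; otherwise not."""
        return lic.network_id.lower() == self.current_gateway_mac.lower()

def demo() -> dict:
    """Walk through the scenario of the text with constructed addresses."""
    router_a = "00:11:22:33:44:55"   # constructed: default gateway of home network A
    router_b = "66:77:88:99:aa:bb"   # constructed: default gateway of home network B
    server_1 = "00:11:22:aa:aa:01"
    server_2 = "00:11:22:aa:aa:02"
    client = "00:11:22:bb:bb:02"

    srv1 = HomeServer("home-server-1", router_a)
    srv2 = HomeServer("home-server-2", router_a)

    # A request from the client on home network A carries the client's own MAC.
    local_ok = srv1.register_member(build_frame(server_1, client))
    # The same request arriving from outside via the router carries the router's MAC.
    remote_ok = srv1.register_member(build_frame(server_1, router_a))
    # Condition (2): the client may also join the second server on the same network.
    second_ok = srv2.register_member(build_frame(server_2, client))

    lic1 = srv1.issue_license(client, "song-001")
    lic2 = srv2.issue_license(client, "movie-007")
    no_lic = srv1.issue_license(router_a, "song-001")  # never registered

    c = Client(client, router_a)
    at_home = c.can_use(lic1) and c.can_use(lic2)
    c.current_gateway_mac = router_b  # client connects to a different home network
    away = c.can_use(lic1) or c.can_use(lic2)
    return {"local": local_ok, "remote": remote_ok, "second": second_ok,
            "unregistered": no_lic is None, "at_home": at_home, "away": away}
```

The comparison identifies the segment a frame entered from rather than the device itself, which is why the text pairs it with member registration and license issuance rather than using it alone.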

Hereinafter, embodiments of the present invention will 
be described in detail with reference to the drawings. 

Fig. 4 schematically shows a structure of a home network according to an embodiment of the present invention.

A home network installed in a home is connected to a WAN such as the Internet or to another LAN via a home router. The home router is set as the default gateway of the home network.

The home network is constituted by, for example, connecting the LAN cables of host apparatuses such as a home server or a client terminal to a hub (concentrator).

The host apparatuses on the home network, such as the home server, the client terminal and the home router, and the host apparatuses on the external network have MAC addresses, each unique to a device. A host apparatus transmits and receives packets, for example Ethernet (registered trademark) frames, including header information containing a destination MAC address and a source MAC address, via the network.

The host apparatuses on the home network, such as the home server and the client terminal, are constituted as, for example, UPnP-compatible devices. In this case, the addition and deletion of a connected device to/from the network are easy. A device to be connected to the network can enjoy services on the home network, such as the use of the contents, in accordance with the following procedure.

(1) Addressing process: the device acquires its own device ID such as an IP address.

(2) Discovery process: each device on the network is searched so as to acquire information such as the device type or function contained in the response received from each device.

(3) Service request process: a request for a service is made to each device based on the information acquired by the discovery process.

On the home network, a local environment that is supposed to be within the scope of personal or family use is formed. Therefore, the home server legitimately acquires contents from a content server on the external network via the home router and stores them, in order to distribute the contents within the home. Each of the client terminals is allowed to make a request for desired contents to the home server and acquires them for use.

Under the local environment, the client terminal acquires the contents from the home server and uses the contents, for example by copying or streaming. Furthermore, it can take the contents out of the local environment (into the remote environment) for use.

Fig. 5 schematically shows a structure of a home network 
according to another embodiment of the present invention. 

The home network is connected to a WAN such as the Internet or to another LAN via the home router. In this case too, the home router is set as the default gateway of the home network.

This differs from Fig. 4 in that two home servers are present on the home network. The respective home servers may be simultaneously present on the home network or may be connected at different times.

In this case, since the client terminals on the same home network are under the local environment, each of the home servers registers them as members to form a group, so as to distribute the contents and to issue licenses for the use of the contents. A client terminal acquires the contents from a home server, uses the contents, for example by copying or streaming, and can also take the contents out of the local environment (into a remote environment) for use. Furthermore, a client terminal can be registered simultaneously on two or more home servers on the same home network as a member, thereby belonging to a plurality of groups, and can acquire a license for the contents from each of the home servers.

Fig. 6 schematically shows a hardware structure of a host apparatus connected to the home network as a server, a client or the like.

The system is constituted mainly of a processor 10. The processor 10 executes various processes based on a program stored in a memory, and controls various peripheral devices connected through a bus 30. The peripheral devices connected to the bus 30 are as follows.

A memory 20 is constituted of a semiconductor memory, for example a DRAM (Dynamic RAM) or the like, and is used to load program code executed by the processor 10 or to temporarily store the operation data of an executing program.

A display controller 21 generates a display image in accordance with a draw command sent from the processor 10 and transmits it to a display device 22. The display device 22 connected to the display controller displays the image on a screen in accordance with the display image information transmitted from the display controller 21.

An input/output interface 23, to which a keyboard 24 and a mouse 25 are connected, transfers input signals from the keyboard 24 or the mouse 25 to the processor 10.

A network interface 26 is connected to an external network such as a LAN or the Internet and controls data communication over the Internet. Specifically, it transfers data transmitted from the processor 10 to another apparatus on the Internet, and receives data transmitted over the Internet so as to pass it to the processor 10.

A hard disk drive (HDD) controller 27, to which a high-capacity external storage apparatus 28 such as an HDD is connected, controls the input and output of data to and from the HDD 28 connected to it. The HDD 28 stores an operating system (OS) program, application programs, driver programs and the like to be executed by the processor. The application programs are, for example, a server application for authenticating each client terminal on the home network as the home server and for providing the contents or issuing licenses, a client application for the use of the contents, such as for reproduction of the contents provided by the server, and the like.

In order to constitute the host apparatus, a large number of electric circuits and the like are required in addition to those illustrated in Fig. 6. However, since they are known to those skilled in the art and do not constitute the gist of the present invention, they are omitted from this specification. Moreover, it should be understood that each connection between hardware blocks in the drawing is only partially illustrated in order to avoid complicating the drawing.

Fig. 7 shows an operation on the home network according to this embodiment. It is assumed that at least a client terminal, two home servers and a home router are present on the network, and that the home router is set as the default gateway.

The client terminal acquires the contents from the home server and uses the contents, for example, for copying or streaming. Prior to the start of a content-distribution service, each home server acquires the MAC address of the default gateway from the home router.

For access to the server, the client terminal first acquires the MAC address of the default gateway and transmits an access request with the acquired MAC address to the server.

The server to which the access request is made fetches the source MAC address from the request packet and compares it with the MAC address of the default gateway that it acquired in advance. For access from the same network, the source MAC address is that of the requesting client itself; for external access via the router, however, the source MAC address is rewritten to the MAC address of the router. Therefore, based on whether or not the source MAC address matches the MAC address of the default gateway, it can easily be determined whether or not the request-source client is on the same network, that is, in the local environment. If it is in the local environment, the requested contents are distributed and a license thereof is issued; if it is not in the local environment, the request is refused. The use of the contents between the devices is allowed only in the local environment thus formed, thereby effectively restraining the unauthorized distribution of the contents.
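The server-side decision just described, as an added example in Python that is not the patent's own code. It models the router behaviour the page relies on (a frame forwarded in from outside carries the router's MAC as its source) and the home server's comparison against the default-gateway MAC acquired in advance. The class names, the MAC normalization helper and the constructed addresses are assumptions. The comparison only establishes that the request's last hop was not the router; as the page itself presupposes further on, it depends on MAC addresses being hard to falsify.

```python
"""Added illustration of the Fig. 7 server-side check; not the patent's own code.

Constructed model: every frame carries a source MAC address.  A frame sent by
a client on the same home network keeps that client's MAC; a frame that came
in from outside through the home router has its source MAC rewritten to the
router's LAN-side MAC, which is also the default-gateway MAC the home server
acquired before the service started.  Class and field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str      # source MAC address as seen by the receiver
    payload: str      # constructed request text, e.g. "ACCESS_REQUEST song-42"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-CC-..' and 'aa:bb:cc:..' compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class HomeRouter:
    """Default gateway: forwards external traffic onto the LAN with its own MAC as source."""

    def __init__(self, lan_mac: str) -> None:
        self.lan_mac = normalize_mac(lan_mac)

    def forward_from_wan(self, frame: Frame) -> Frame:
        # The original sender's MAC does not survive the hop through the router.
        return Frame(src_mac=self.lan_mac, payload=frame.payload)


class HomeServer:
    """Home server that distributes contents and issues licences only to local clients."""

    def __init__(self, name: str, gateway_mac: str) -> None:
        self.name = name
        self.gateway_mac = normalize_mac(gateway_mac)   # learned from the router in advance

    def is_local_access(self, frame: Frame) -> bool:
        # Same network: the source MAC is the client's own.  Via the router: the
        # source MAC equals the default gateway's, so the request is external.
        return normalize_mac(frame.src_mac) != self.gateway_mac

    def handle(self, frame: Frame) -> dict:
        _, _, content_id = frame.payload.partition(" ")
        if not self.is_local_access(frame):
            return {"status": "refused", "reason": "request arrived via the default gateway"}
        return {
            "status": "ok",
            "server": self.name,
            "content": content_id,
            # constructed token standing in for the issued license
            "license": f"license:{self.name}:{content_id}",
        }


def run_scenario() -> dict:
    """Constructed scenario: a local client and a remote client ask the same server."""
    router = HomeRouter("00:11:22:33:44:55")
    server = HomeServer("S1", gateway_mac="00-11-22-33-44-55")   # same MAC, other spelling
    local_request = Frame(src_mac="aa:bb:cc:dd:ee:01", payload="ACCESS_REQUEST song-42")
    remote_request = router.forward_from_wan(
        Frame(src_mac="de:ad:be:ef:00:99", payload="ACCESS_REQUEST song-42"))
    return {
        "local": server.handle(local_request),
        "remote": server.handle(remote_request),
    }


if __name__ == "__main__":
    for who, result in run_scenario().items():
        print(who, result)
```

The normalization step is there because the gateway address the server learned and the source address it reads from a frame may be reported in different separator and case conventions; comparing raw strings would then refuse a legitimately local client or, worse, fail to recognize the router.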

Upon reception of a response packet from the request-destination server, the client terminal fetches the MAC address and the server name of the server and stores them, together with the MAC address of the default gateway acquired prior to the access request, as a set in the local environment management table.

Fig. 8 schematically shows a structure of the local environment management table. In the illustrated local environment management table, a record is entered each time a request for the contents is made to a new server. In each record, a LAST flag, a network identification ID, and the MAC address and server name of the server are stored. As the network identification ID, the MAC address of the default gateway acquired prior to the access to the server is recorded. The LAST flag is set on the record of the last accessed server.

The example illustrated in Fig. 8 shows a history of the client terminal making access to a server S1 on a home network connected to a home router A, access to a server S2 on the home network connected to the home router A, and access to a server S3 on a home network connected to a home router B. The last access made by the client terminal is to the server S2 on the home network connected to the home router A.

The client terminal can be registered simultaneously as a member on two or more home servers on the same home network, so as to belong to a plurality of groups, and can acquire a license for the contents from each of the home servers. This is because, in this case, the client terminal is present under the local environment of each of the home servers and is therefore supposed to be within the scope of personal or family use.

On the other hand, if the client terminal is connected to another home network at a later time, this corresponds to a move of the client terminal to a remote environment with respect to the first connected home network. Collating the MAC address of the default gateway obtained by the client terminal upon access to the server against the local environment management table allows the movement between the home networks to be determined.

The client terminal acquires the contents from the home server, uses the contents, for example, for copying or streaming, and can further take the contents out of the local environment (into a remote environment) for use. However, it is not allowable to connect to a plurality of home networks one after another so as to use the sequentially acquired contents in an unrestrained manner. Therefore, in this embodiment, the use of the contents on the client terminal is limited to those acquired from the currently connected home network.

The LAST flag in the local environment management table shown in Fig. 8 indicates the last accessed home server. In this embodiment, the home network on which the last accessed home server is present is defined as the current local environment for the client terminal. Therefore, a home server having the same default-gateway MAC address as the home server to which the LAST flag is assigned is supposed to be present in the local environment.

Fig. 9 shows, in the form of a flowchart, a processing procedure for the use of the contents on the client terminal. When the contents are to be used (reproduced) on the client terminal, the local environment management table is referred to so as to determine whether or not there are any other servers having the same default-gateway MAC address as the record to which the LAST flag is set (step S1). The contents acquired from servers having the same MAC address are rendered available (step S2), whereas the contents acquired from the other servers are rendered unavailable (step S3).
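The local environment management table of Fig. 8 and the availability decision of Fig. 9, as an added Python example that is not the patent's own code. The network identification ID is stored as a plain string, so the same table also serves the variation described later in which the MAC address of the local identification apparatus takes the place of the default-gateway MAC. The class and method names, the constructed addresses and the access history are assumptions; the history follows the Fig. 8 example (S1 and S2 behind router A, S3 behind router B, last access to S2).

```python
"""Added illustration of the Fig. 8 table and the Fig. 9 flowchart; not the patent's own code.

Each record holds the LAST flag, the network identification ID (the default-gateway
MAC acquired before the access, or the local identification apparatus MAC in the
later variation), and the MAC address and name of the server.  Names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Record:
    last: bool          # set on the record of the most recently accessed server
    network_id: str     # MAC of the default gateway seen when the server was accessed
    server_mac: str
    server_name: str


class LocalEnvironmentTable:
    def __init__(self) -> None:
        self.records: List[Record] = []

    def record_access(self, network_id: str, server_mac: str, server_name: str) -> Record:
        """Store the set received with a server's response packet and move the LAST flag."""
        for rec in self.records:
            rec.last = False
        for rec in self.records:
            if rec.network_id == network_id and rec.server_mac == server_mac:
                rec.last = True                 # known server: only the LAST flag moves
                rec.server_name = server_name
                return rec
        rec = Record(True, network_id, server_mac, server_name)   # new server: new record
        self.records.append(rec)
        return rec

    def current_network_id(self) -> Optional[str]:
        """The home network of the LAST-flagged server is the current local environment."""
        return next((r.network_id for r in self.records if r.last), None)

    def servers_in_local_environment(self) -> List[str]:
        """Step S1: every server whose network ID equals that of the LAST record."""
        current = self.current_network_id()
        return [r.server_name for r in self.records if r.network_id == current]

    def is_content_available(self, server_mac: str) -> bool:
        """Steps S2/S3: contents from a server in the current local environment are usable."""
        current = self.current_network_id()
        return any(r.server_mac == server_mac and r.network_id == current
                   for r in self.records)

    def has_moved(self, gateway_mac_now: str) -> bool:
        """Collate a freshly acquired gateway MAC with the table to detect a move between homes."""
        current = self.current_network_id()
        return current is not None and gateway_mac_now != current


def fig8_history() -> LocalEnvironmentTable:
    """Constructed history matching the Fig. 8 example (all addresses made up)."""
    router_a, router_b = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"
    s1, s2, s3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    table = LocalEnvironmentTable()
    table.record_access(router_a, s1, "S1")
    table.record_access(router_a, s2, "S2")
    table.record_access(router_b, s3, "S3")
    table.record_access(router_a, s2, "S2")    # last access: S2 behind router A
    return table


if __name__ == "__main__":
    table = fig8_history()
    print("servers in the local environment:", table.servers_in_local_environment())
    for mac, name in [("02:00:00:00:00:01", "S1"), ("02:00:00:00:00:03", "S3")]:
        state = "available" if table.is_content_available(mac) else "unavailable"
        print(name, state)
```

With this history the table holds three records, S1 and S2 share router A's address with the LAST record and so their contents remain usable, and S3's contents are rendered unavailable; a gateway MAC of router B acquired on the next access reports a move.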

In the above-described embodiment, the existing mechanism of the IP protocol, by which the source MAC address is that of the sender for access from the same network while it is rewritten to the MAC address of the router for external access via the router, is used to identify automatically whether or not an access is from the home network, by comparing the MAC address of the party in communication with the MAC address of the home router. However, the method of identifying the presence of a host apparatus on the same home network is not limited thereto.

Fig. 10 shows a variation of the home network shown in Fig. 4. In the illustrated example, the home network is connected to a WAN such as the Internet or to another LAN via the home router. Although the home router is set as the default gateway of the home network, this is optional.

The home network is constituted by connecting a LAN cable of each host apparatus, such as the home server or the client terminal, to the hub. This embodiment differs from Fig. 4 in that a local identification apparatus, which imparts the identification function to the home network, is connected to the home network.

The local environment that is supposed to be within the scope of personal or family use is formed on the home network. Therefore, the home server legitimately acquires and stores the contents from the content server on the external network via the home router so as to distribute the contents in the home. Each client terminal is allowed to make a request for desired contents to the home server and acquires them for use (as before).
Fig. 11 shows an operation on the home network illustrated in Fig. 10.

The client terminal acquires the contents from the home server and uses the contents, for example, for copying or streaming. Prior to the start of a content-distribution service, each home server acquires the MAC address of the local identification apparatus.

For access to the server, the client terminal first acquires the MAC address of the local identification apparatus and transmits an access request with the acquired MAC address to the home server.

The server to which the access request is made fetches the MAC address of the local identification apparatus from the request packet and compares it with the MAC address of the local identification apparatus that it acquired in advance. Whether or not the request-source client is on the home network, that is, in the local environment, is then determined simply from whether or not the two MAC addresses match. If it is in the local environment, the requested contents are distributed and a license thereof is issued. If it is not in the local environment, the request is refused. The use of the contents between the devices is allowed only in the local environment thus formed, so that the unauthorized distribution of the contents can be effectively restrained.
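The three-party exchange of Fig. 11, as an added Python example that is not the patent's own code. Unlike the Fig. 7 check, the locality token here is an explicit field of the access request: the client queries the local identification apparatus for its MAC, the server compares that field with the MAC it acquired before the service started, and a successful response carries the server's MAC and name for the client to store. The model also shows why the page wants the apparatus always powered ON: a query to a powered-off apparatus yields no MAC, and the request cannot proceed. The message field names, the powered_on flag and the constructed addresses are assumptions.

```python
"""Added illustration of the Fig. 11 exchange; not the patent's own code.

Three constructed parties: a local identification apparatus that answers MAC
queries, a home server that learned that MAC before the service started, and a
client that fetches the MAC and carries it in its access request.  Field names
and the powered_on flag are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


class LocalIdentificationApparatus:
    """Device in the home that must be able to answer a MAC query at any time."""

    def __init__(self, mac: str, powered_on: bool = True) -> None:
        self.mac = mac
        self.powered_on = powered_on

    def query_mac(self) -> Optional[str]:
        # A powered-off apparatus cannot answer, so the local environment
        # cannot be confirmed (the reason the page wants it always ON).
        return self.mac if self.powered_on else None


@dataclass(frozen=True)
class AccessRequest:
    content_id: str
    local_id_mac: str            # MAC of the identification apparatus, as obtained by the client


@dataclass(frozen=True)
class Response:
    status: str                  # "ok" or "refused"
    server_mac: str
    server_name: str
    license: Optional[str] = None


class HomeServer:
    def __init__(self, name: str, mac: str, apparatus: LocalIdentificationApparatus) -> None:
        self.name, self.mac = name, mac
        self.local_id_mac = apparatus.query_mac()   # acquired before the service starts

    def handle(self, req: AccessRequest) -> Response:
        # No match (or no apparatus MAC known at all): the client is not local.
        if self.local_id_mac is None or req.local_id_mac != self.local_id_mac:
            return Response("refused", self.mac, self.name)
        token = f"license:{self.name}:{req.content_id}"   # constructed stand-in for the license
        return Response("ok", self.mac, self.name, license=token)


class ClientTerminal:
    def __init__(self) -> None:
        # (network identification ID, server MAC, server name) sets, one per response
        self.table: List[Tuple[str, str, str]] = []

    def request_contents(self, server: HomeServer,
                         apparatus: LocalIdentificationApparatus, content_id: str) -> Response:
        local_id_mac = apparatus.query_mac()
        if local_id_mac is None:
            return Response("refused", server.mac, server.name)   # locality cannot be confirmed
        resp = server.handle(AccessRequest(content_id, local_id_mac))
        if resp.status == "ok":
            self.table.append((local_id_mac, resp.server_mac, resp.server_name))
        return resp


def run_scenario() -> dict:
    """Constructed scenario: same home, a different home's apparatus, and a powered-off apparatus."""
    fridge = LocalIdentificationApparatus("02:aa:aa:aa:aa:01")      # always-on device in this home
    other_home = LocalIdentificationApparatus("02:bb:bb:bb:bb:01")  # apparatus of another home
    server = HomeServer("S1", "02:00:00:00:00:01", fridge)
    client = ClientTerminal()
    same_home = client.request_contents(server, fridge, "movie-7")
    other = client.request_contents(server, other_home, "movie-7")
    fridge.powered_on = False
    off = client.request_contents(server, fridge, "movie-7")
    return {
        "same_home": same_home.status,
        "other_home": other.status,
        "apparatus_off": off.status,
        "stored": client.table,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Only the successful exchange leaves a record on the client; the entry pairs the apparatus MAC with the server's MAC and name, which is exactly the set the page says the client stores after the response packet arrives.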

Upon reception of a response packet from the request-destination server, the client terminal fetches the MAC address and the server name of the server and stores them, together with the MAC address of the local identification apparatus acquired prior to the access request, as a set in the local environment management table. In each record of the local environment management table in this case, the MAC address of the local identification apparatus is recorded in place of the MAC address of the default gateway.

Fig. 12 shows a variation of the home network illustrated in Fig. 10. As illustrated, in addition to being connected to the home network as a dedicated device, the local identification apparatus can be incorporated into the home router or into another host apparatus on the home network.

A necessary condition of the local identification apparatus is that it can always respond to a request from the client terminal. For this reason, it is preferred that the local identification apparatus is always powered ON and that at least one local identification apparatus exists in the home. Since the home server is, for example, a TV set or a video recording/playback apparatus, and these devices are not necessarily constantly activated (the local environment cannot be confirmed while they are not powered ON), such a device does not satisfy the requirement for the local identification apparatus. On the other hand, since each household has one refrigerator and the refrigerator is always powered ON, it satisfies the requirement for the local identification apparatus. In addition, since the refrigerator is heavy and therefore fixed and unmovable, the secondary effect that it is difficult to take it out in order to commit a fraud can be obtained.

Moreover, two or more local identification apparatuses may be present on a single home network. In this case, the client terminal specifies the local identification apparatus to which it makes a request for authentication. Conversely, the server may specify the local identification apparatus to which it makes a request for authentication. Alternatively, the client terminal makes a request for authentication to the local identification apparatus while specifying the server, so that the local identification apparatus performs the authentication with the server.

The collation of the MAC addresses of the devices is used for the authentication between the devices in the embodiment described in this specification; it is presupposed that the home router and the local identification apparatus have MAC addresses in a form that is difficult to falsify, by using encryption means.

Supplement:

The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can modify or substitute the embodiments without departing from the gist of the present invention. Specifically, the present invention is disclosed only by way of example, and therefore the description of the specification should not be read as limitative. In order to determine the gist of the present invention, the claims should be taken into consideration.

Industrial Applicability

According to the present invention, a preferable device-to-device authentication system, device-to-device authentication method, communication apparatus and computer program, which are capable of suitably managing the use of the contents between devices on a home network connected to an external network via a router, can be provided.

Moreover, according to the present invention, a preferable device-to-device authentication system, device-to-device authentication method, communication apparatus and computer program, which are capable of suitably managing so that each client terminal on a home network uses the contents legitimately acquired on a home server within the scope of private use allowed by the copyright law, can be provided.

According to the present invention, the use of the contents is allowed between devices only in a local environment, so that the unauthorized distribution of the contents can be effectively restrained.